1
0
Fork 0
mirror of https://github.com/rails/rails.git synced 2022-11-09 12:12:34 -05:00

Rename master_key => primary_key

This commit is contained in:
Jorge Manrubia 2021-03-19 10:31:37 +01:00
parent fd3fbcc4eb
commit 28145c3cee
11 changed files with 23 additions and 22 deletions

View file

@ -47,7 +47,7 @@ end
# Encryption
ActiveRecord::Encryption.configure \
master_key: "test master key",
primary_key: "test master key",
deterministic_key: "test deterministic key",
key_derivation_salt: "testing key derivation salt",
support_unencrypted_data: true

View file

@ -4,7 +4,7 @@ module ActiveRecord
module Encryption
# Container of configuration options
class Config
attr_accessor :master_key, :deterministic_key, :store_key_references, :key_derivation_salt,
attr_accessor :primary_key, :deterministic_key, :store_key_references, :key_derivation_salt,
:support_unencrypted_data, :encrypt_fixtures, :validate_column_size, :add_to_filter_parameters,
:excluded_from_filter_parameters, :extend_queries

View file

@ -17,12 +17,12 @@ module ActiveRecord
delegate name, to: :context
end
def configure(master_key:, deterministic_key:, key_derivation_salt:, **properties) #:nodoc:
config.master_key = master_key
def configure(primary_key:, deterministic_key:, key_derivation_salt:, **properties) #:nodoc:
config.primary_key = primary_key
config.deterministic_key = deterministic_key
config.key_derivation_salt = key_derivation_salt
context.key_provider = ActiveRecord::Encryption::DerivedSecretKeyProvider.new(master_key)
context.key_provider = ActiveRecord::Encryption::DerivedSecretKeyProvider.new(primary_key)
properties.each do |name, value|
[:context, :config].each do |configurable_object_name|

View file

@ -19,7 +19,7 @@ module ActiveRecord
random_secret = generate_random_secret
ActiveRecord::Encryption::Key.new(random_secret).tap do |key|
key.public_tags.encrypted_data_key = encrypt_data_key(random_secret)
key.public_tags.encrypted_data_key_id = active_master_key.id if ActiveRecord::Encryption.config.store_key_references
key.public_tags.encrypted_data_key_id = active_primary_key.id if ActiveRecord::Encryption.config.store_key_references
end
end
@ -28,23 +28,23 @@ module ActiveRecord
secret ? [ActiveRecord::Encryption::Key.new(secret)] : []
end
def active_master_key
@active_master_key ||= master_key_provider.encryption_key
def active_primary_key
@active_primary_key ||= primary_key_provider.encryption_key
end
private
def encrypt_data_key(random_secret)
ActiveRecord::Encryption.cipher.encrypt(random_secret, key: active_master_key.secret)
ActiveRecord::Encryption.cipher.encrypt(random_secret, key: active_primary_key.secret)
end
def decrypt_data_key(encrypted_message)
encrypted_data_key = encrypted_message.headers.encrypted_data_key
key = master_key_provider.decryption_keys(encrypted_message)&.collect(&:secret)
key = primary_key_provider.decryption_keys(encrypted_message)&.collect(&:secret)
ActiveRecord::Encryption.cipher.decrypt encrypted_data_key, key: key if key
end
def master_key_provider
@master_key_provider ||= DerivedSecretKeyProvider.new(ActiveRecord::Encryption.config.master_key)
def primary_key_provider
@primary_key_provider ||= DerivedSecretKeyProvider.new(ActiveRecord::Encryption.config.primary_key)
end
def generate_random_secret

View file

@ -280,7 +280,7 @@ To keep using the current cache store, you can turn off cache versioning entirel
initializer "active_record_encryption.configuration" do |app|
ActiveRecord::Encryption.configure \
master_key: app.credentials.dig(:active_record_encryption, :master_key),
primary_key: app.credentials.dig(:active_record_encryption, :primary_key),
deterministic_key: app.credentials.dig(:active_record_encryption, :deterministic_key),
key_derivation_salt: app.credentials.dig(:active_record_encryption, :key_derivation_salt),
**config.active_record.encryption

View file

@ -558,7 +558,7 @@ db_namespace = namespace :db do
Add this entry to the credentials of the target environment:#{' '}
active_record_encryption:
master_key: #{SecureRandom.alphanumeric(32)}
primary_key: #{SecureRandom.alphanumeric(32)}
deterministic_key: #{SecureRandom.alphanumeric(32)}
key_derivation_salt: #{SecureRandom.alphanumeric(32)}
MSG

View file

@ -2,6 +2,7 @@
require "cases/encryption/helper"
require "models/pirate"
require "models/book"
class ActiveRecord::Encryption::ConfigurableTest < ActiveRecord::TestCase
test "can access context properties with top level getters" do

View file

@ -19,7 +19,7 @@ class ActiveRecord::Encryption::EnvelopeEncryptionKeyProviderTest < ActiveRecord
test "generated random keys carry their secret encrypted with the master key" do
key = @key_provider.encryption_key
encrypted_secret = key.public_tags.encrypted_data_key
assert_equal key.secret, ActiveRecord::Encryption.cipher.decrypt(encrypted_secret, key: @key_provider.active_master_key.secret)
assert_equal key.secret, ActiveRecord::Encryption.cipher.decrypt(encrypted_secret, key: @key_provider.active_primary_key.secret)
end
test "decryption_key_for returns the decryption key for a message that was encrypted with a generated encryption key" do
@ -30,20 +30,20 @@ class ActiveRecord::Encryption::EnvelopeEncryptionKeyProviderTest < ActiveRecord
end
test "work with multiple keys when config.store_key_references is false" do
ActiveRecord::Encryption.config.master_key = ["key 1", "key 2"]
ActiveRecord::Encryption.config.primary_key = ["key 1", "key 2"]
assert_encryptor_works_with @key_provider
end
test "work with multiple keys when config.store_key_references is true" do
ActiveRecord::Encryption.config.master_key = ["key 1", "key 2"]
ActiveRecord::Encryption.config.primary_key = ["key 1", "key 2"]
ActiveRecord::Encryption.config.store_key_references = true
assert_encryptor_works_with @key_provider
end
private
def assert_multiple_master_keys
assert Rails.application.credentials.dig(:active_record_encryption, :master_key).length > 1
def assert_multiple_primary_keys
assert Rails.application.credentials.dig(:active_record_encryption, :primary_key).length > 1
end
end

View file

@ -141,7 +141,7 @@ class ActiveRecord::TestCase
include ActiveRecord::Encryption::EncryptionHelpers, ActiveRecord::Encryption::PerformanceHelpers
# , PerformanceHelpers
ENCRYPTION_ERROR_FLAGS = %i[ master_key store_key_references key_derivation_salt support_unencrypted_data
ENCRYPTION_ERROR_FLAGS = %i[ primary_key store_key_references key_derivation_salt support_unencrypted_data
encrypt_fixtures ]
setup do

View file

@ -226,7 +226,7 @@ end
# Encryption
ActiveRecord::Encryption.configure \
master_key: "test master key",
primary_key: "test master key",
deterministic_key: "test deterministic key",
key_derivation_salt: "testing key derivation salt"

View file

@ -28,7 +28,7 @@ $ bin/rails db:encryption:init
Add this entry to the credentials of the target environment:
active_record.encryption:
master_key: EGY8WhulUOXixybod7ZWwMIL68R9o5kC
primary_key: EGY8WhulUOXixybod7ZWwMIL68R9o5kC
deterministic_key: aPA5XyALhf75NNnMzaspW7akTfZp0lPY
key_derivation_salt: xEY0dt6TZcAMg52K7O84wYzkjvbA62Hz
```